vpn: refs #8748 - Iptables approche - what to do
This commit is contained in:
parent
0e393b49c8
commit
c1074a90e5
|
@ -5,6 +5,7 @@ strongswan_requeriments:
|
||||||
- tcpdump
|
- tcpdump
|
||||||
- iperf
|
- iperf
|
||||||
- conntrack
|
- conntrack
|
||||||
|
- iptables-persistent
|
||||||
certificates:
|
certificates:
|
||||||
- { content: '{{ cert_ipsec }}', dest: '/etc/ipsec.d/certs/cert.pem', mode: 'u=rw,g=r,o=r' }
|
- { content: '{{ cert_ipsec }}', dest: '/etc/ipsec.d/certs/cert.pem', mode: 'u=rw,g=r,o=r' }
|
||||||
- { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' }
|
- { content: '{{ ca }}', dest: '/etc/ipsec.d/cacerts/ca.pem', mode: 'u=rw,g=r,o=r' }
|
||||||
|
|
|
@ -36,4 +36,28 @@
|
||||||
dest: /etc/strongswan.d/vn.conf
|
dest: /etc/strongswan.d/vn.conf
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: u=rw,g=r,o=r
|
mode: u=rw,g=r,o=r
|
||||||
|
- name: IP forward as a router
|
||||||
|
sysctl:
|
||||||
|
name: net.ipv4.ip_forward
|
||||||
|
value: "1"
|
||||||
|
state: present
|
||||||
|
sysctl_set: yes
|
||||||
|
reload: yes
|
||||||
|
- name: Add iptables rules in rules.v4 file
|
||||||
|
blockinfile:
|
||||||
|
path: /etc/iptables/rules.v4
|
||||||
|
marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN MANGED"
|
||||||
|
block: |
|
||||||
|
*mangle
|
||||||
|
:PREROUTING ACCEPT [0:0]
|
||||||
|
:INPUT ACCEPT [0:0]
|
||||||
|
:FORWARD ACCEPT [0:0]
|
||||||
|
:OUTPUT ACCEPT [0:0]
|
||||||
|
:POSTROUTING ACCEPT [0:0]
|
||||||
|
-A PREROUTING -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
|
||||||
|
-A POSTROUTING -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
|
||||||
|
register: iptables
|
||||||
|
- name: Reload iptables rules
|
||||||
|
command: netfilter-persistent reload
|
||||||
|
when: iptables.changed
|
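Review bot: The `block:` appended to /etc/iptables/rules.v4 opens a `*mangle` table but never closes it — the iptables-save format requires a `COMMIT` line after each table, and without one `netfilter-persistent reload` (which feeds the file to iptables-restore) is expected to reject the input or not apply the mangle rules, so the last line of the block should be `COMMIT`. blockinfile inserts at end of file by default, so if rules.v4 already holds a `*mangle` section (as a prior `iptables-save` would produce) this adds a second one and the restore will flush the earlier section's chains when it reaches the new header; confirm the file's starting state, and consider `create: true` if the package install does not create the file. The sysctl task turns on net.ipv4.ip_forward, but nothing in this commit adds filter-table FORWARD rules, so the host will forward whatever it receives unless existing rules already limit forwarding to the IPsec-policy traffic matched here (`-m policy --pol ipsec`); that restriction belongs alongside these MSS-clamp rules. `sysctl_set: yes` and `reload: yes` are YAML 1.1 truthy values; write them as `sysctl_set: true` and `reload: true`.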